Registry analysis in digital forensics

25/11/2021 Client: muhammad11 Deadline: 2 Day

CMIT 424: Digital Forensics Analysis and Application

Lab 5: Reconstruct System Usage Using Registry and Other System Files
Introduction
This lab builds upon the acquisition, processing, and analysis techniques that you learned and practiced in earlier labs in this course.

In this lab, you will practice finding, recovering, and analyzing system usage information for a Windows 7 computer system. Before you begin, you should review the following readings, which address analytical processes and techniques used to recover and evaluate information about system usage.

1. FTK Registry Viewer User Guide (access the PDF file from the Registry Viewer help menu)

2. FTK User Guide (access the PDF file from the FTK help menu)

a. Chapter 16, "Using the Examiner Interface"

b. Chapter 17, "Exploring Evidence"

c. Chapter 18, "Examining Evidence in the Overview Tab"

d. Chapter 22, "Examining Miscellaneous Evidence"

e. Chapter 23, "Bookmarking Evidence"

f. Chapter 32, "Working with Evidence Reports"

g. Chapter 35, "Working with Windows Registry Evidence"

Lab 5 Scenario and Case Questions
A laptop from the offices of Practical Applied Gaming Solutions, Inc., has been sent to your lab for analysis. This laptop was returned to the company by a former employee several weeks after the employee's unexpected resignation.

During case triage, it was determined that VMware was installed on the laptop. Several folders containing virtual machines were also found. A forensic image (E01 format) was created from each of the virtual disks (VMDK files) by a forensic technician using FTK Imager.

You have been asked to contribute to the investigation by reconstructing the usage of one of the virtual machines from the contents of the associated VMDK file. The chain-of-custody log states that this file contains a Windows 7 system disk.

The lead investigator has asked you to address the following case questions during your examination of the evidence. (Ignore the Internet cache and index files for this lab; you will analyze and report on them in Lab 6.)

1. When was the Windows 7 image created (installed in the VM), and during what time period was it in use?

2. What software applications were loaded and available for use in the VM?

3. Who used the Windows 7 VM? (More than one user?)

4. What was the Windows 7 VM used for?

5. Was the VM used regularly or repeatedly?

6. Are there indications of an intent to hide or obscure how the VM was used?

7. Are there indications of an intent to use the VM to facilitate illegal or unethical behavior? (Unethical includes actions that are contrary to the employer's best interests or that violate the company's Acceptable Use Policy governing use of company resources—i.e., the laptop on which the VM was found.)

Lab 5 Overview
In this lab you will search for, recover, and analyze system usage information from a forensic image provided by your instructor. At a minimum, you should perform the following tasks:

· Analyze the Windows Registry to recover information about the Windows 7 operating system and how it was used.

· Analyze the contents of system log files, link files (shortcuts), and prefetch files.

· Reconstruct user-level system usage using information recovered from folders and files stored in user profiles.

· Analyze the contents of the recycle bin.

· Reconstruct system-level usage information found in the file system metadata (use the information shown in the file list pane).

· Construct a timeline showing significant system usage events, such as boot, shutdown, installation of software, installation of patches or updates, user logins, etc.

· Note: The provided forensic image has been modified for training purposes.

· The virtual disk is no longer bootable.

· Files whose contents are not required for this examination have been overwritten with 0x00 (securely wiped).

· The file system data structures have not been modified; the original directory entries remain intact.

As you complete your analysis for this lab, you will need to keep track of specific files that provide forensically important information for your analysis and reporting. In previous labs, you used an annotated file inventory for this purpose. In this lab, you will learn two more methods:

· checked files (see Chapter 17, FTK User Guide) and

· bookmarks (see Chapter 23, FTK User Guide)

Both of these tracking features are accessed in the file list pane by right-clicking on the filename and then selecting the feature from the pop-up menu. You can also access the case Bookmarks using the Bookmarks tab at the top of the Examiner Window.

In Guided Practice #1, you will examine the contents of the Windows 7 registry. Your examination of the individual Windows 7 registry hives should provide you with the following information and/or answers to questions listed below. You will need this information to answer the case questions. In this part of the lab, you will also generate a registry report that documents the associated keys and key values.

· Operating system version (SOFTWARE hive: Microsoft\Windows NT\CurrentVersion, values ProductName, CurrentVersion, CSDVersion).

· Installation date (same key, value InstallDate; stored as a DWORD count of seconds since 1970-01-01 UTC, not as a FILETIME).

· Registered owner (same key, value RegisteredOwner). Is there something odd about this?

· Computer name (SYSTEM hive: ControlSet00N\Control\ComputerName\ComputerName; read SYSTEM\Select\Current to learn which control set was the active one).

· Current time zone (SYSTEM hive: ControlSet00N\Control\TimeZoneInformation; ActiveTimeBias is a signed DWORD of minutes to add to local time to obtain UTC, which you will need in order to place registry times on the same clock as the file system).

· Fixed hard drives (virtual drives) used in the VM (SYSTEM hive: MountedDevices).

· Removable USB media used in the VM (SYSTEM hive: ControlSet00N\Enum\USBSTOR). What are the manufacturer and serial numbers of the USBs? Note that if the second character of the instance subkey name is an ampersand, Windows generated that identifier because the device reported no serial number, so it does not uniquely identify a physical device.

· Installed software (SOFTWARE hive: Microsoft\Windows\CurrentVersion\Uninstall; provide a list of all subkeys showing user-installed software packages; add rows as necessary). Pay attention to the last-written dates for keys. Keys written prior to the installation date represent software that is part of the Windows 7 package and, for this lab, should not be included in your list of installed software.

· Installed software for individual users. Find and process the NTUSER.DAT file in each user profile on the system; this is the per-user hive that Windows loads as HKEY_CURRENT_USER (HKCU) when that user logs on. Look under Software\Microsoft\Windows\CurrentVersion\Uninstall within it.

· Recent files accessed by individual users (NTUSER.DAT for each user, key Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs).

· Most recently used (MRU) items including software applications and files (NTUSER.DAT keys such as Explorer\RunMRU, Explorer\ComDlg32\OpenSavePidlMRU and LastVisitedPidlMRU, and Explorer\UserAssist, whose value names are ROT13-encoded).

· Any additional keys you found to be helpful in determining how this VM was used, when it was used, and who used it.
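The following Python script is an added worked example and is not part of the CMIT 424 lab materials or the FTK documentation. It decodes the value encodings you will meet while answering the items above: FILETIME key last-write times, the DWORD InstallDate, the signed ActiveTimeBias, USBSTOR subkey names, and the "written on or after InstallDate" filter for the Uninstall list. Every input value (key names, dates, the USB serial number) is constructed for illustration and does not come from the lab image; the hive paths in the comments are the standard Windows 7 locations.

```python
# Added example: decoding registry value types encountered in Guided Practice #1.
# Standard library only; all sample values below are constructed, not from the lab image.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime.
    Key last-write times and values such as Control\\Windows\\ShutdownTime use this."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build the constructed sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def install_date_to_utc(install_date: int) -> datetime:
    """SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate is a DWORD of
    seconds since 1970-01-01 UTC (Unix time), not a FILETIME."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def active_time_bias_minutes(raw_dword: int) -> int:
    """Control\\TimeZoneInformation\\ActiveTimeBias is a signed 32-bit value stored in an
    unsigned DWORD: minutes to ADD to local time to reach UTC (300 = UTC-5, 0xFFFFFFC4 = UTC+1)."""
    return struct.unpack("<i", struct.pack("<I", raw_dword))[0]


def utc_to_local(dt_utc: datetime, raw_active_time_bias: int) -> datetime:
    """Express a UTC timestamp in the VM's configured local time."""
    bias = active_time_bias_minutes(raw_active_time_bias)
    return dt_utc.astimezone(timezone(timedelta(minutes=-bias)))


def parse_usbstor(device_key: str, instance_key: str) -> dict:
    """Split USBSTOR subkey names (Enum\\USBSTOR\\<device_key>\\<instance_key>).
    device_key:   Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26
    instance_key: 4C530001230322117363&0  (serial, '&', interface index)
    A '&' as the 2nd character of instance_key means the device reported no serial and
    Windows generated the ID, so it does not identify one physical stick."""
    fields = {"type": device_key.split("&", 1)[0]}
    for part in device_key.split("&"):
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if part.startswith(prefix):
                fields[name] = part[len(prefix):]
    fields["serial"] = instance_key.rsplit("&", 1)[0]
    fields["serial_is_windows_generated"] = len(instance_key) > 1 and instance_key[1] == "&"
    return fields


def user_installed_software(uninstall_keys: dict, install_date: int) -> list:
    """Keep Uninstall subkeys whose last-write time is at or after InstallDate; keys
    written earlier belong to the Windows image and are excluded per the lab instructions.
    uninstall_keys maps subkey name -> last-write FILETIME."""
    installed = install_date_to_utc(install_date)
    return sorted(name for name, ft in uninstall_keys.items()
                  if filetime_to_utc(ft) >= installed)


# Constructed sample values (hypothetical; not taken from any real hive).
UTC = timezone.utc
SAMPLE_INSTALL_DATE = 1300000000        # 2011-03-13 07:06:40 UTC
SAMPLE_ACTIVE_TIME_BIAS = 300           # UTC-5 (Eastern standard time)
SAMPLE_UNINSTALL_KEYS = {
    "AddressBook": utc_to_filetime(datetime(2009, 7, 14, 4, 0, tzinfo=UTC)),          # pre-install
    "ExampleArchiver": utc_to_filetime(datetime(2011, 3, 13, 7, 30, tzinfo=UTC)),     # same day as install
    "ExampleEditor 2.1": utc_to_filetime(datetime(2011, 3, 20, 15, 42, tzinfo=UTC)),
    "Example VPN Client": utc_to_filetime(datetime(2011, 4, 2, 9, 5, tzinfo=UTC)),
}


def summarize() -> dict:
    """Collect the decoded values the way they would appear in the GP#1 summary table."""
    install_utc = install_date_to_utc(SAMPLE_INSTALL_DATE)
    return {
        "install_date_utc": install_utc.isoformat(),
        "install_date_local": utc_to_local(install_utc, SAMPLE_ACTIVE_TIME_BIAS).isoformat(),
        "user_installed": user_installed_software(SAMPLE_UNINSTALL_KEYS, SAMPLE_INSTALL_DATE),
        "usb": parse_usbstor("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26", "4C530001230322117363&0"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Record registry times in the report in UTC and state the ActiveTimeBias you used for any local conversion; a timeline that mixes UTC registry times with local NTFS times will misorder events by the size of the bias.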

In Guided Practice #2, you will examine the contents of link files (shortcut files), log files, and prefetch files recovered from the virtual disk. (You may need to research the format and usage for specific file types to learn more about what they can tell you regarding system usage.) The file contents provide information about events that occurred or actions that were performed, and possibly also when those events occurred. The locations of these files will provide information as to who (system or a specific user account) performed the actions captured in the contents and metadata. When reviewing these files, be sure to examine both the contents and the file properties using the file contents pane. In this part of the lab, you will mark files of forensic interest (ones that you will use to answer the case questions) using checked files and Bookmark categories. You will then generate an FTK report that lists the files (by file path), the Bookmark categories, and the files included under each bookmark.

Before you begin this part of the lab, you should decide upon the format that you will use to create your system usage timeline. Your timeline could be presented in a table in a Microsoft Word document or as an Excel spreadsheet. The important thing to remember is that your timeline should clearly show the events that are of forensic interest and the date/time of occurrence for each event. You should also list the files that provided the information about each event. Below is a suggested table format for a system usage timeline. This format can be used in either Microsoft Word or Microsoft Excel.

Date/Time | Event | Description | Files or Artifacts created or modified
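The following Python script is an added worked example, not part of the lab materials or of any vendor tool. It parses the two binary artifact types named in Guided Practice #2 directly from their bytes and emits rows in the suggested timeline layout above. The shortcut parser reads the fixed 76-byte ShellLinkHeader documented in Microsoft's MS-SHLLINK specification; the prefetch parser uses the Windows 7 (format version 23, uncompressed) layout, in which the executable name sits at offset 0x10, the last-run FILETIME at 0x80 and the run count at 0x98. All sample bytes, file names, the user name jdoe and the prefetch hash 1A2B3C4D are constructed for the example.

```python
# Added example: parsing .lnk and Win7 .pf headers into timeline rows for Guided Practice #2.
# Standard library only; sample artifacts are constructed, not taken from the lab image.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_lnk_header(data: bytes) -> dict:
    """MS-SHLLINK 2.1 ShellLinkHeader: HeaderSize (0x4C) at 0, CLSID at 4, LinkFlags at 0x14,
    FileAttributes 0x18, CreationTime 0x1C, AccessTime 0x24, WriteTime 0x2C, FileSize 0x34.
    The timestamps describe the TARGET file as it was when the shortcut was written, so a
    .lnk can still date a file whose contents were later wiped."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 0x14)
    return {"link_flags": flags, "target_attributes": attrs,
            "target_created": filetime_to_utc(ctime), "target_accessed": filetime_to_utc(atime),
            "target_modified": filetime_to_utc(wtime), "target_size": size}


def parse_prefetch_header(data: bytes) -> dict:
    """Windows 7 prefetch, format version 23: version DWORD at 0, 'SCCA' at 4, executable
    name (UTF-16LE, 60 bytes) at 0x10, last run FILETIME at 0x80, run count at 0x98.
    Windows 8+ (v26/v30) moved these fields and Windows 10 compresses the file, so the
    version check is what keeps this from silently misreading other layouts."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("bad prefetch signature")
    if version != 23:
        raise ValueError(f"unsupported prefetch format version {version}")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    last_run, = struct.unpack_from("<Q", data, 0x80)
    run_count, = struct.unpack_from("<I", data, 0x98)
    return {"executable": name, "last_run": filetime_to_utc(last_run), "run_count": run_count}


def timeline_rows(artifacts: list) -> list:
    """artifacts: list of (path_in_image, raw_bytes). Returns (date_time, event, description,
    artifact) tuples sorted by time, i.e. the columns of the lab's suggested table."""
    rows = []
    for path, data in artifacts:
        if path.lower().endswith(".lnk"):
            h = parse_lnk_header(data)
            rows.append((h["target_modified"], "Shortcut target last modified",
                         f"target size {h['target_size']} bytes", path))
        elif path.lower().endswith(".pf"):
            h = parse_prefetch_header(data)
            rows.append((h["last_run"], "Program executed",
                         f"{h['executable']} run {h['run_count']} time(s)", path))
    return sorted(rows)


# Builders for constructed sample artifacts (hypothetical data).
def build_sample_lnk(created, accessed, modified, size):
    buf = bytearray(0x4C)
    struct.pack_into("<I", buf, 0, 0x4C)
    buf[4:20] = LNK_CLSID
    struct.pack_into("<IIQQQI", buf, 0x14, 0x01, 0x20,
                     utc_to_filetime(created), utc_to_filetime(accessed), utc_to_filetime(modified), size)
    return bytes(buf)


def build_sample_prefetch(exe, last_run, run_count):
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    encoded = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<Q", buf, 0x80, utc_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


SAMPLE_ARTIFACTS = [
    ("Users/jdoe/AppData/Roaming/Microsoft/Windows/Recent/budget.xlsx.lnk",
     build_sample_lnk(datetime(2011, 3, 15, 14, 2, tzinfo=UTC), datetime(2011, 3, 18, 9, 0, tzinfo=UTC),
                      datetime(2011, 3, 18, 9, 0, tzinfo=UTC), 48128)),
    ("Windows/Prefetch/EXCEL.EXE-1A2B3C4D.pf",
     build_sample_prefetch("EXCEL.EXE", datetime(2011, 3, 18, 8, 58, tzinfo=UTC), 7)),
]


def sample_timeline() -> list:
    return timeline_rows(SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    for when, event, desc, artifact in sample_timeline():
        print(f"{when.isoformat()} | {event} | {desc} | {artifact}")
```

The path column is what ties an event to an actor: a shortcut under a user's Recent folder was created by that account's session, whereas a prefetch file records execution at system level without naming the user, so the two rows above together (program run at 08:58, document target modified at 09:00 from jdoe's Recent folder) say more than either does alone.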

In Guided Practice #3, you will generate an inventory of selected folders and files from the forensic image of the virtual disk. You will use this inventory to construct a tentative timeline of events and identify file/folder entries that can provide answers to the case questions. For this part of the lab, your analysis is restricted to file properties and directory-level information—file paths, creation dates, last access dates, last modified dates, etc.

In Guided Practice #4, you will write a lab report memo (three to five pages maximum) in which you document your answers to the case questions. Each answer must be supported by information contained in the forensic image and you must identify which artifacts (files or folders) support your answers. Provide your supporting documentation, i.e., registry reports, file inventory, and timeline of system usage, as a single zip archive. The registry reports, file inventory and timeline files should be submitted in a single zip file archive; this documentation is not counted in the lab memo page count.

Required Software
· Forensic Toolkit

· FTK Registry Viewer

· WinHex

· MS Office (Word, Excel, PowerPoint) or an equivalent word-processing and spreadsheet application

· Adobe Reader (or another PDF file viewer)

· Web browser

Deliverables
1. Incident Investigation Summary Report (5-8 pages with tables / screen shots)

Prepare a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your report should include high-level analysis summaries in table format for:

a. Registry Analysis & Values of Important Keys (GP#1)

b. System Usage Data (GP#2)

c. Meta Data Analysis of Important Files (GP#3)

Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.

2. System Usage Timeline

This table will be created in Guided Practice #3.

Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%

a. Overview 15%

b. Findings & Answers to Case Questions 15%

c. Summary Tables 15%

d. Description of Analysis & Processing 15%

2. System Usage Timeline 25%

3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)

Lab 5 Outcomes

Course Outcomes for Lab 5

· reconstruct system usage using Windows Registry and other system files

· perform and document timeline analysis

· prepare brief report summarizing findings and answering case questions

· apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital artifacts

· select and apply the most appropriate methodology to extract data based on circumstances and reassemble artifacts from data fragments

· analyze and interpret data collected and report outcomes in accordance with incident response handling guidelines
